elastic · nastasha-solomon · Feb 10, 2025 · Feb 4, 2025 · Feb 5, 2025 · Feb 6, 2025
@@ -6,6 +6,7 @@ This section summarizes the changes in each release.
 * <<release-notes-8.17.2, {elastic-sec} version 8.17.2>>
 * <<release-notes-8.17.1, {elastic-sec} version 8.17.1>>
 * <<release-notes-8.17.0, {elastic-sec} version 8.17.0>>
+* <<release-notes-8.16.4, {elastic-sec} version 8.16.4>>
 * <<release-notes-8.16.3, {elastic-sec} version 8.16.3>>
 * <<release-notes-8.16.2, {elastic-sec} version 8.16.2>>
 * <<release-notes-8.16.1, {elastic-sec} version 8.16.1>>

@@ -1,6 +1,61 @@
 [[release-notes-header-8.16.0]]
 == 8.16
 
+[discrete]
+[[release-notes-8.16.4]]
+=== 8.16.4
+
+[discrete]
+[[known-issue-8.16.4]]
+==== Known issues
+
+// tag::known-issue[]
+[discrete]
+.Duplicate alerts can be produced from manually running threshold rules 
+[%collapsible]
+====
+*Details* +
+On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
+====
+// end::known-issue[]
+
+// tag::known-issue[]
+[discrete]
+.Manually running custom query rules with suppression could suppress more alerts than expected
+[%collapsible]
+====
+*Details* +
+On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. 
+====
+// end::known-issue[]
+
+[discrete]
+[[features-8.16.4]]
+==== New features
+* Adds the `advanced.malware.max_file_size_bytes` <<adv-policy-settings,advanced policy setting>>, which allows you to control the maximum file size for malware protection.
+
+[discrete]
+[[enhancements-8.16.4]]
+==== Enhancements
+* Enhances the performance of {elastic-defend} network events monitoring for better CPU utilization and responsiveness.
+* Adds byte counts to Linux {elastic-defend} network disconnect events.
+
+[discrete]
+[[bug-fixes-8.16.4]]
+==== Bug fixes
+* Ensures that multiple IPs are displayed as individual links in the Alerts table, even if they're passed as a single string ({kibana-pull}209475[#209475]).
+* Fixes an AI Assistant bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]).
+* Adds missing fields to Automatic Import's input manifest templates ({kibana-pull}208768[#208768]).
+* Ensures that Automatic Import's structured log template surrounds single backslashes with single quotes when the backslash is used as an escape character ({kibana-pull}209736[#209736]).
+* Adds fields that are missing from Automatic Import's `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]).
+* Allows {elastic-defend} to detect or prevent malware process or image loads from WebDAV servers.
+* Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows. 
+* Fixes a bug with the `get-file` Endpoint response action. When you used the `get-file` response action to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive  would contain a checksum error that made it unusable by most zip tools.
+* Increases the maximum number of ETW buffers that {elastic-defend} can use.
+* Fixes a bug in {elastic-defend} where a combination of "descendent of process" event filters and unenriched events would not match other event filters.
+* Fixes an issue where {elastic-defend} wasn't correctly populating `event.created` for process events on Windows.
+* When aggregating events, {elastic-defend} was using the final event's timestamp for the aggregated event, which was a bug. Now, {elastic-defend} will use the first event's timestamp as originally intended.
+
 [discrete]
 [[release-notes-8.16.3]]
 === 8.16.3